Saturday, December 25, 2010

Access Authentication

Two-factor authentication is based on something a user possesses (such as a CAC card) and something a user knows (a password).

The CAC holds 64KB of data storage and memory on a single integrated circuit chip. The CAC embeds a person's Public Key Infrastructure (PKI) certificate (from the National Security Agency). It also carries data storage, a magnetic stripe and bar codes. This enables cardholders to sign documents digitally, encrypt emails, and establish secure online network connections.

CAC authorizations originate from the Authentication Data Repository (ADR). The ADR is part of the Defense Enrollment Eligibility Reporting System (DEERS), a service of the Defense Manpower Data Center (DMDC). The DMDC Identity Authentication Office (IAO) then provides web services to customers needing an authentication approval, which in turn must then be synchronized with Component human resources applications, which finally deliver the CAC. *

The CAC also requires a CAC reader, which is attached to a computer or a smart phone device. The CAC reader installation process is cumbersome. **



The information stored on a CAC cannot be used alone for access authorization without entry of a password. Since passwords can be cracked and are hard to revoke or invalidate, automatic password generation devices are preferred in most cases involving SECRET or high-level classification.

The preferred way of obtaining a password is to generate it by means of a security token. This is a physical device that makes up the second factor in a two-factor authorization method.



Security tokens are used to confirm one's identity electronically. They have an internal battery that makes it possible to generate a new random password every sixty seconds. The system that confirms the token-generated code must contain additional software for secure synchronization with the data contained on the CAC. There is great diversity in methods, device types and vendors that supply authorization synchronization. ***

SUMMARY

DoD access authorization methods are vulnerable. The actual revocation of a CAC card is not a real-time event and is not performed by the DMDC but by Components, who rely on diverse and inconsistent personnel applications. Ideally, the revocation of a CAC card could be triggered from a Network Operations Center (NOC) instantly. However, the time elapsed from when the revocation is initiated to when it can be acted on is inconsistent with the risks of retaining access privileges for an unauthorized person.

The difficulty in achieving real-time synchronization between the IAO, ADR, DEERS and the Component personnel systems is perhaps the primary reason why the dependability of access authorizations will remain a security risk. From a networking standpoint, an online connection between the IAO and a NOC is feasible. The greatest obstacle here is the continued absence of a DoD-wide integrated personnel database.

The management of virtual desktop and smart phone clients from data centers offers an opportunity to simplify the management of software that controls CAC readers. However, the greatest gains would accrue from enabling real-time connectivity between NOC controls and the DEERS databases.



* http://www.cac.mil/Authenticating.html
** http://www.militarycac.com/files/SCR331FirmwareUpdateProcedure.pdf
*** http://en.wikipedia.org/wiki/Security_token